Officials at Michaels, the large craft and home goods retailer, are investigating a potential data breach that has apparently affected an unknown number of cards used in the chain’s stores in the last few weeks. The company has released very little detail about the compromise but said that it is still investigating the incident.
The apparent intrusion at Michaels is the latest in a string of data breaches at large retailers in the last few months, a run that started with the attack on Target in the fall that compromised financial and personal information of as many as 110 million customers. That breach reportedly involves malware being installed on point-of-sale devices in a number of the company’s stores. There also was an intrusion at Neiman Marcus around the same time, beginning in July and lasting through October and resulting in the compromise of data belonging to 1.1 million people.
The scope of the Michaels breach is unknown at this point, and company officials said they’re still not sure whether the attack was on their network or somewhere else in the payment ecosystem.
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO of Michaels. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”
“Throughout our 40-year history, our customers have always been our number one priority and we deeply regret any inconvenience this may cause. The privacy and security of our customers’ information is of critical importance to us and we are focused on addressing this issue.”
Retailers always have been a prime target for attackers, thanks to their huge databases of customer information and payment-card data. There has been a push in the security industry to shore up the security of retailers’ networks, especially focusing on the use of encryption. But attackers have been able to find ways around these obstacles. One of the interesting aspects of the Target data breach that has attracted a lot of attention is the attackers’ use of malware known as BlackPOS that has the ability to grab payment data from the POS terminals just before it’s encrypted. That capability defeats the protection that end-to-end encryption is meant to offer, allowing attackers to circumvent one of the key defenses retailers employ.
Image from Flickr photos of Aranami.
